DISTRIBUTED ON-LINE DIGITIZED CONTROL ARCHITECTURES FOR PROCESS CONTROL

Copyright © IFAC Digital Computer Applications to Process Control, Vienna, Austria, 1985

S. Sedillot
Inria, BP 105 78153, Le Chesnay Cedex, France

ABSTRACT

A tremendous amount of investigation and implementation work has been carried out over the last ten years in the domains of communication media and protocols, distributed database management, distributed operating systems and reliability, resulting in significant progress towards standardization. However, most of these results apply to on-line systems, and relatively little of this work is related to hard-real-time environments, in which the specified bounds on processing delays are stringent and range from a few milliseconds to a few hundred milliseconds. Based on an analysis of the ISO OSI Reference Model, rationales are presented for a reliable connectionless mode, message due-date-dependent qualities of service and flexible conversation protocols above the transport layer. It is shown that, in order to support time-dependent transmission protocols, the IEEE 802 Local Area Network standards must be enhanced to provide message transmission scheduling based on message due dates. A task priority is defined as a function of both its static priority and its due date. Data access serialization induces precedence constraints on task scheduling. Task resource allocation conflicts are solved through a unique task-priority-dependent resolution rule.

Keywords : Process control ; standards ; time-dependent priorities ; communication ; distributed operating system.

1. INTRODUCTION

Process monitoring and control architectures using interconnected computers have been designed over the last twenty years, mainly in nuclear plants and defense environments. A tremendous amount of investigation and implementation work has been carried out over the last ten years in the domains of communication media and protocols, distributed database management, distributed operating systems and reliability, resulting in significant progress towards standardization. Thus, one can now specify more clearly both the fundamental requirements of distributed systems users and the families of mechanisms that are offered to meet them. However, most of these results apply to on-line systems for mailing, file transfer, database requests and remote task execution. The expected response time is of the order of a few seconds and may occasionally increase substantially. Relatively little work is related to hard-real-time environments, in which the specified bounds on processing delays are stringent and range from a few milliseconds to a few hundred milliseconds. That is not to say that results from networking in on-line environments do not apply at all to hard-real-time ones. The scope of this paper is precisely to present an overview of the mechanisms of local on-line distributed systems and to state the enhancements that must and may be brought to them if they are to be used in hard-real-time environments.

Chapter 2 gives definitions concerning distributed task requirements in Process Control. Chapter 3 discusses the ability of the ISO standard proposals to support hard-real-time systems such as Process Control. Chapter 4 discusses the ability of the IEEE 802 model to support hard-real-time transmissions. Chapter 5 states enhancements to transmission protocols at levels 1 and 2 (according to their definition in the ISO and IEEE 802 models) so as to offer given transmission delays according to message qualification. Chapter 6 focuses on services that must be incorporated in distributed operating systems, such as task scheduling, fault tolerance and serialization of concurrent data accesses, so as to guarantee specified execution delays.

2. DISTRIBUTED TASKS IN PROCESS CONTROL

A distributed task is a set of synchronized subtasks, each of which must be executed on a dedicated device (microprocessor, multiprocessor or computer). Subtasks belonging to the same task are synchronized by message exchanges and/or timing constraints. Because of obvious reliability and geographical constraints, interconnected devices share no common memory. A subtask is a set of specified operations including sensor reading, output to actuators, data accesses (read, write, read-write, create, cancel) and exception handling. Although we should not restrict ourselves to that type of task, the catalogued type is the most frequently used. For a catalogued task, all subtasks (sequences of operations) are predetermined and described in system catalogs. In particular, subtask maximum execution times are provided. Task arrival times, that is, the times at which tasks are submitted for execution, may be either unpredetermined or predetermined (e.g. periodical tasks). Task due dates are specified at their arrival time. Because the subtasks of a task are synchronized, each subtask has an earliest start-time and a due date. A task is correctly executed if both its results (including outputs to actuators) are correct and the task is completed before its specified due date. Whenever a task is not correctly executed, it is considered as a fault. Consequently, distributed operating systems and communication systems supporting Process Control are required to :
- schedule messages and subtasks,
- perform promptness control inducing late task rejection,
- offer fault-tolerance mechanisms guaranteeing that a specified rejection rate will not be exceeded,
- maintain their scheduling and fault-tolerance performance in spite of configuration changes (failed devices) and bursts of load (messages and tasks), provided these do not exceed specified characteristics.

3. ISO STANDARD PROPOSALS AND PROCESS CONTROL

ISO (1981) specifies a basic Reference Model for data processing in Open Systems Interconnection (OSI-RM). The basic structuring concept is layering (figure 1). Each connected device (system) is seen as an ordered set of layered subsystems. Subsystems of the same layer communicate on a peer-to-peer basis via protocols (figure 1). Layer-(i) subsystems provide a set of normalized services to layer-(i+1) subsystems.

[Figure 1 : The OSI-RM. Layers shown : 7. Application, 6. Presentation, 5. Session, 4. Transport, 3. Network, 2. Data link, 1. Physical ; the layer 5 services and the layer 5 protocol are marked.]

Seven layers are defined that provide, respectively from layer 1 to layer 7, physical medium access, data link protocol (essentially framing, multiplexing, error and flow control on frames exchanged between two devices), network routing if any (including virtual circuit establishment and management), transport services (namely fragmentation and reassembly, error and flow control on messages exchanged between two application processes), session services (conversation specificities between two remote applications), presentation services (agreement on how to represent data that have the same semantics and different syntaxes within two communicating application processes) and finally the application layer, where the user processes reside. Error and flow control require connection management between two subsystems of the same layer. A connection is materialized by its context in each of the two communicating subsystems. A context contains the connection identification (it must be unique in the system during its lifetime), exchanged data units and acknowledgment references as well as credit values for flow control. All so-called management functions (buffer, CPU and peripheral allocation, data access consistency, network monitoring and control) are located in the application layer.

Four service primitives (ISO, 1984, June 1) define the layer-(i) interface with layer-(i+1) : (i)-REQUEST and (i)-CONFIRM for a transmitting site, and (i)-INDICATION and (i)-RESPONSE for a destination site (figure 2). Whether there is a relationship between (i)-RESPONSE and (i)-CONFIRM depends on the protocol specification.

[Figure 2 : Time-sequence diagram and primitives in the OSI-RM. Columns : source layer-(i+1), layer-(i), destination layer-(i+1) ; time axis ; primitives shown include (i)-REQUEST and (i)-CONFIRM.]

The use of connectionless-mode transmission (ISO 1984, June, 2 ; ISO 1984, Aug.) is admitted at each layer. It allows a data unit (datagram) to be transmitted to one or more destinations. It is specified that a single service primitive should contain all the information required to deliver the datagram (destination address, quality of service selection, etc.). Because of a lack of resources, a destination subsystem may discard the datagram. Optionally, the destination subsystem may return a positive or negative acknowledgment to the transmitting subsystem. No retransmission function is provided, hence data unit retention at the transmitting site is not offered. There are no architectural constraints on any vertical combination of an (i)-layer providing one type of (i)-service (connection-mode or connectionless-mode) using the other type of (i-1)-service. Layers 4 and 3 (Transport and Network) may provide conversion from one service type to the other.

(ISO, 1983, Oct) specifies four classes of transport connection management, each of which includes connection establishment/release services and positive/negative acknowledgment of transmitted data units ; they differ by the inclusion or exclusion of the transmitted data unit retention facility, the expedited data facility (expedited data bypass regular data units waiting to be processed), resequencing at destination (delivering in the transmission order), connection recovery (connection re-establishment in case of layer 3 disconnection), flow control, multiplexing of several transport connections onto a single network connection, retransmission on timeout and concatenation of several data units belonging to one or different transport connections into a single data unit delivered to layer 3. Connection-mode transmission in the network layer (ISO, 1983, Nov) and in the data-link layer (ISO, 1984, April, 2) is based on the same mechanisms.

The Process-Control community legitimately expects the connection mode to induce a significant overhead on message transit time and considers that LAN physical media offer a higher reliability than long-haul networks. Therefore a trend is emerging among them (Bryant, 1984 ; Kummer, 1984 ; Saltzer, 1981) to use connectionless mode at layers 2 and 3 and connection mode at layer 4. This attitude is strengthened by internetworking necessities (Kummer, 1984 ; Cerf, 1983) : in that situation, an end-to-end transport protocol is mandatory and therefore a connectionless mode at layers 3 and 2 in each of the interconnected subnetworks seems sufficient in terms of reliability. Consequently, supporters of this approach argue for introducing retransmission facilities in the connectionless mode, even though they may be used optionally. Note that none of these statements excludes connection/connectionless-mode conversions at layer 3 for those devices that are used as gateways either to common carrier networks using X25 virtual circuits or to any other connection-oriented network.

(ISO, 1983, March ; ISO, 1984, April 1 ; ISO, 1984, April, 2) define qualities of service offered by layers 4, 3 and 2 respectively. These are mean or maximum transit delay, throughput, error rate, connection lifetime, etc. Given the value offered by the (i)-layer, layer-(i) users may negotiate smaller or larger values. Qualities of service are set once and for all at the time a connection is established and must not be changed during the connection lifetime. In connectionless mode, each transmit request contains the requested quality of service. Although these proposals are not yet frozen, users of hard-real-time environments consider them not flexible enough. The FIFO ordering of messages in waiting queues (ISO, 1984, April, 2) and the fixed message class priority scheme (ISO, 1983, March) exclude transmission scheduling according to message-specific time-dependent priorities.

The last observation made with regard to Process Control concerns the need to introduce conversation management at some layer (4 or 5). A conversation is an application-dependent set of communication rules between any given number of application processes. Conversation types may have different, not to say exclusive, properties. This is supported by Kummer (1984), Chang (1984), Bryant (1984), concerning broadcast or multicast of packetised voice, voting facility on replicated messages, procedural calls, periodical transmissions, etc. This observation reinforces the preference given to connectionless mode at layers 3 and 2 and possibly at layer 4.

4. IEEE-802 PROPOSALS AND PROCESS CONTROL

Both the proliferation of applications relying on LANs (particularly in the domain of office automation) and the dynamism of manufacturers in preparing chips integrating the lower levels (2 and 1) for accessing coaxial cable have led the IEEE-802 Committee to coordinate the elaboration of LAN standards including layers 2, 1 and 0, namely Logical Link Level (LLC), Medium Access Control (MAC) and Physical level respectively. IEEE-802 proposals and ISO proposals are closely related. Physical media proposals rely on 1) 75 ohm CATV coaxial cable bus with modem and analog signaling, which are domestically deployed in the USA, 2) baseband coaxial cables with digital signaling, ranging from 4 to 40 Mbits/s, and future use of optical fibers (Stalling 1984).
Because we will discuss the MAC proposals thoroughly, let us consider the LLC proposal first. The IEEE 802 draft states clearly that real-time constraints are still out of scope. Connection and unacknowledged connectionless services are considered. They use the standard HDLC asynchronous balanced mode of operation (Stallings, 1984).

Three Medium Access Controls are in the scope of IEEE 802, two of which, namely the token bus and CSMA-CD, have already been approved, the third being the token ring.

. The token passing method consists of a special frame format (token) that circulates among devices, granting the owning device the exclusive right to transmit.

.. The token ring is supported by IBM (Bux, 1982 ; Strole, 1983). The token circulates basically in a round-robin fashion, giving the right to transmit to successive devices on the ring. However, for a period of time that has no upper bound, a set of devices with priority p (7 priority levels) may prevent any device with lower priority from accessing the channel. The use of priorities in relation to pending message delivery due dates is not addressed. Monitoring and controlling the liveness of a unique token is performed by a dedicated device : the monitor. Lost token detection is based on a timeout whose value depends on the number of devices. A passive monitor device monitors the token circulation and turns into the monitor whenever it detects a token-related error. The monitor can preempt the token as it passes by and allocate it to devices that have declared periodical traffic.

.. This centralized control of the bus is avoided in the token bus access method. Each station has supervisory functions. The drawback is the complexity of the protocols needed to prevent multiple token generation. The supervision protocol also periodically uses the token to enquire whether any device has been deleted or any new device wishes to enter the logical ring. Devices are assigned logical positions in an ordered sequence, with the last member of the sequence followed by the first. Optionally, one out of three priority classes is assigned to a message (Stalling, 1983). Starvation may occur for messages in the two lower classes.

. The CSMA access method - popularized by Xerox Ethernet - is attractive in that it needs neither monitoring nor controlling special frames or newly logged out/on devices. It is based on the following medium access mechanism : listen and wait until the medium is idle, then transmit ; listen for collision detection during a period of time at least equal to twice the end-to-end propagation delay on the medium ; if a collision is detected, then stop transmission, wait a random amount of time - backoff - and try again, starting with listening until the medium is idle. The major drawbacks of CSMA are 1) the occurrence of starvation due to the binary exponential backoff solution, which doubles the backoff value before each repeated attempt to transmit the same frame, 2) the low performance in terms of medium utilisation when the ratio S*C/L increases, where S is the estimated time for collision detection, C the channel transmission speed and L the transmitted data unit length (Tobagi, 1982,1), 3) the exponentially growing message transmit time when the number of active devices increases. On the other hand, at low load, CSMA offers a shorter transmit time - token passing is spared - and it is not sensitive to the number of connected devices (Nadkarni, 1983).

Clearly none of the three methods is specifically designed for real-time applications (Le Lann, 1983). Given the market, each has its supporters, and chips embedding the access method and LLC are currently commercialised or announced by manufacturers : DEC, INTEL, Ungermann-Bass, Fujitsu, etc.
(Hindin 1982) propose Ethernet, IBM supports the token ring, whereas Philips and Concord data system support the token bus. One argument for the CSMA solution is that a tremendous amount of work is currently being performed to offer CSMA upper-bounded collision resolution times ; some of these solutions are compatible with CSMA chips and require only added software, as presented below. Note that both baseband and broadband media can support either the CSMA or the token bus access method. They differ only in physical signaling and capacity aspects.

5. ENHANCEMENTS TO TRANSMISSION PROTOCOLS AT LEVEL 1 AND 2 FOR HARD REAL-TIME ENVIRONMENTS

Inherent to Process Control is the obligation for transmission protocols to assume that each message must be either delivered before its specified delivery due date or discarded. A performance criterion for a transmission system is then its ability to discard the acceptable minimum number of messages and, moreover, its ability to discard preferably messages with relatively lower "importance" with regard to the process environment. A message's "importance" is usually materialized by its static priority and specified by the application process. It is obvious that a message's specified transit delay - given by subtracting its arrival time in the system from its delivery due date - ranges within given values for a given process environment and its specified digitized distributed control system design, which offers a given mean transit time and throughput. But there always exist instants at which the distribution of pending message delivery due dates is unpredetermined. It is then up to some scheduling strategy to guarantee the transmission system performance - as defined above.

Many scheduling strategies are currently being investigated ; they can be classified according to their performance criteria :

. The first strategy to appear had higher throughput as its performance criterion : the idea is to minimize collision occurrences (wasted medium capacity) through sophisticated timeout adjustment before retransmission attempts. The results are worthy of consideration (Powell, 1981) but do not totally satisfy real-time specific performance, although Tobagi (1982.1) shows that they perform as well as TDMA for packetized voice transmission under a tolerable error rate.

. The second approach is to guarantee that no starvation (infinite access delay onto the medium) can occur. Round-robin token passing serves that objective. But fairness is not exactly what is requested in real time.

. A more interesting approach is a device-based priority scheme (Kiesel, 1983 ; Powell, 1981 ; Chlamtac, 1979 ; Tobagi, 1983). After each successful transmission, devices that wish to transmit either wait for a device-dependent period of time, in which case the device with the shortest timeout transmits safely when its timeout expires, or one of them is safely allowed to transmit as a consequence of either its geographical position on the medium (Tobagi, 1983) or its name (priority) observed "on flight" by the other colliding devices (Powell, 1981). Of course, device-dependent transmission scheduling is not a real-time objective, but some of these algorithms (Tobagi, 1982.2) allow the instantaneous device priority to reflect the pending message priority. In that case, however, all devices having pending messages of the same priority collide, and the collision is solved among them through the basic CSMA strategy.

. A last approach consists of combining the epoch concept and pending message ordering (Le Lann, 1984 ; Costa, 1984).
An epoch is a period of time during which all collided message transmissions are serialized and during which no message other than the collided ones may be transmitted. Message ordering can be purely local : the first message to be transmitted has the highest priority. Priority can be of the form j(m)+a*(T(m)-t), where j(m) is the static priority of message m and T(m)-t its maximum allowed remaining time before its successful transmission starts. Such time-dependent scheduling makes it mandatory that all devices have closely synchronized physical clocks. There may also exist a global ordering through announcement, whereby each device announces in every transmitted message m the priority of its next pending message. There is some approximation in the announcement because of unpredetermined local message arrivals. This approach offers the advantage of giving any device its chance to transmit any message within an upper-bound delay of two epochs (i.e. number-of-station * maximum-length-message transmission delay). Its expected medium efficiency is of the same order of magnitude as those observed with the device-based priority schemes.

6. HARD REAL-TIME DISTRIBUTED OPERATING SYSTEMS SERVICES

Hard real-time distributed operating systems must also provide specific services, some of which are embedded in the primitives offered to the application programs - communication, file management and exception handling primitives - others being kept transparent to applications - replication management, data access control, scheduling, network monitoring. Rationales for these services are presented in the next sub-chapters.

6.1. Communication Primitives

Basically, two distinct primitives are necessary to express synchronous and asynchronous executions :

. A "notify"-like primitive (Kramer, 1981 ; Liskov 1981 ; Kummer 1984) :

NOTIFY (message, dest 2... dest n, delivery time, static priority, | Ack |)

to signal some information to one or more destination application programs. Optionally, the sender may wish to receive an acknowledgment before processing further ; the acknowledgment is expected to be generated by the destination communication subsystems that deliver the message to the application processes.

. A "request-reply"-like primitive, whereby the communication system knows that destination application processes are expected to reply to the sender :

REQUEST-REPLY (message, dest 1...dest n, delivery time, static priority, timeout value for reply)

The timeout value for reply informs the system of the allowed period of time during which it must be able to receive the reply (buffer reservation, retention of the message, etc.). If the timeout expires, the sender is notified. It is beyond the scope of this paper to argue about which layer should perform timeout management. Clearly these primitives are addressed to some conversation manager located between the application and transport layers (as defined by ISO).

6.2. Abstract Data-type Synchronizers

Data in the system (sensors, actuators, stored data) each have specified access constraints (Allchin, 1981 ; Liskov, 1981 ; Stankovic, 1981 ; Schwarz, 1984) : these can be access rights or passwords defined by the users. Access constraints are also related to concurrent incompatible access requests by different subtasks. This problem is well known in the distributed database community. Incompatible simultaneous access requests are detected and serialized. Serialization avoids arbitrary interleaving of writing and reading operations that could provide tasks with an inconsistent view of the data. Data synchronizers offer serialization services. Solutions are known that enable synchronizers to be fully decentralized, located on the same device as the data they protect (Bernstein 1983). The best-performing ones are based on data locking schemes (Augustin, 1984).
Of course, non-exclusive locks are highly desirable when possible (read, write). Maintaining the last versions of data may also improve the allowable concurrency of accesses (Reed, 1979). Conflicts may occur that lead to deadlock - infinite waiting by subtasks of two or more different tasks. Obviously timeout-based deadlock resolution is not acceptable in hard-real-time systems. (Minet, 1984) proposes a deadlock resolution based on both task due dates and static priorities and on the optimistic approach (Bernstein, 1983), thus releasing locks immediately after execution instead of waiting for the task commitment (safe distributed termination protocol). Needless to say, synchronizers are transparent to applications.

6.3. Fault-tolerance services

Besides timeouts and the specific actions on timeout expiration that can be explicitly specified by primitives in a subtask, the operating system may provide data and subtask replication management (Goldberg, 1980) that is kept transparent to the applications. Such real-time mechanisms imply, first, scheduling replicated subtasks at the same time and, second, determining some voting algorithm on their results so as to mask hardware and/or software faults.

6.4. Sub-tasks Scheduling

Subtask scheduling in a hard real-time distributed system is subject to the following set of constraints :

. Scheduling must be decentralized for reasons of reliability and speed, that is to say, each site has its own scheduler and schedules only the subtasks that are to be processed locally. Thus, when a catalogued task is submitted to the system, a decomposer fixes for each subtask an execution context (Sedillot, 1980) that contains the subtask's earliest start-time, due date and execution time. Each context is dispatched to the site where the corresponding subtask must be processed. There is usually no flexibility in a process control environment as to where a subtask should be processed.

. A scheduler must observe any precedence constraints fixed by synchronizers concerning given sets of subtasks. Hence schedule reordering and subtask preemption are prohibited, since they would imply re-checking that the precedence constraints are observed.

Subtask context arrival times may be either predetermined (periodical, for example) or unpredetermined. The delay between a subtask context's arrival time and the subtask's earliest start-time depends on the synchronization timings among the subtasks of a task ; as a result, a subtask context arrival implies three subsequent functions (figure 3) to be performed by the local operating system :
- data access serialization by the synchronizers,
- subtask insertion in the current schedule by the scheduler - several ordered subtasks may be waiting to be activated,
- activation, according to its scheduled time, by the real-time monitor.

In conclusion, on these new aspects of scheduling, one should be aware that even though periods of time may be reserved for predetermined subtasks and the system capacity specially designed to support a given load of unpredetermined subtasks, the scheduler offers flexibility at the cost of subtask abortions or refusals, the number of which is minimized while observing task priority.

REFERENCES

Allchin, J.E., and McKendry M.S. (1983). Support for Objects and Actions in Clouds. Office of Naval Research. Arlington USA, Technical report GH-ISC 83/11.
Augustin R. and Scholten H. (1984). Modelling Database Concurrency Control using a general purpose Performance Evaluation tool. Performance 84, Paris Dec. 1984, Gelenbe editor, North Holland publisher, pp. 69-86.
Bernstein P.A. (1983). Concurrency control in distributed database systems. ACM computing surveys, June 1981, pp. 185-221.
Bryant P. (1984). The protocols to operate above the connectionless network service. Discussion paper version 2, IBM PB 24, 29 July 1984.
Bux W. and others (1983). A local-Area communication network based on a reliable token-ring system. Local Computer Networks, IFIP 1982.
Cerf V.G. and Cain E. (1983). The DoD Internet Architecture Model. Computer Network, Vol. 7, No.5, Oct. 83, pp. 307-318.

Chang J.M. and Maxemchuk N.F. (1983). Reliable Broadcast Protocols. ACM Transactions on Computer Systems, Vol.2, No.3, August 1983, pp. 251-273.
Chlamtac I. and others (1979). BRAM : the Broadcast Recognizing Access Method. IEEE Transactions on Communications, Vol. COM 27, No. 8 August 1979, pp. 1183-1189.

[Figure 3 : Subtask management. Time axis with the DATA ACCESS SYNCHRONIZER and the REAL-TIME MONITOR ; e_i - subtask t_i earliest start-time, C_i - subtask t_i latest start-time.]

The real-time monitor has the responsibility to allocate CPU to subtasks at the right time and perform a promptness control, that is, abort a subtask when its active time exceeds its specified execution time as defined in its context.

It may happen that, given precedence and timing (earliest start-time and due date) constraints, the scheduler cannot schedule a subtask without aborting one or more already scheduled subtasks. This is a conflict situation. A conflict resolution rule - that is, how to decide whether the arriving subtask's schedule is refused or already scheduled subtasks are aborted - must consider task atomicity, whereby aborting a subtask involves aborting its corresponding task. Therefore, in order to minimize the number of task abortions, any conflict resolution rule must be based on the relative priority - task due date and static priority - of the concurrent tasks, and not of the subtasks. A last aspect is that a task's state (currently under commitment) may forbid its abortion.
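An added example, not code from the paper: one way a site-local scheduler could apply the conflict rule just described, with slots that are never moved or preempted. The linear priority form (borrowed from the message priority of chapter 5), the "smaller value wins" convention, the weight A and every class and function name are assumptions.

```python
"""Local subtask scheduler with a task-priority conflict rule (illustrative)."""
from dataclasses import dataclass
from itertools import combinations

A = 1.0  # assumed weight of the remaining-time term


@dataclass
class Task:
    name: str
    static_priority: int      # assumption: smaller number = more important
    due: int                  # task due date, ms
    committing: bool = False  # under commitment: abortion forbidden


@dataclass
class Slot:
    task: str
    start: int
    end: int


def rank(task, now):
    """Static priority plus weighted remaining time; smaller rank wins (assumed)."""
    return task.static_priority + A * (task.due - now)


def find_start(slots, earliest, due, exec_time, now):
    """Earliest gap that fits the subtask without moving any scheduled slot."""
    t = max(earliest, now)
    for s in sorted(slots, key=lambda s: s.start):
        if t + exec_time <= s.start:
            break
        t = max(t, s.end)
    return t if t + exec_time <= due else None


class LocalScheduler:
    def __init__(self):
        self.tasks = {}   # name -> Task, for tasks holding slots on this site
        self.slots = []   # non-preemptive, never reordered

    def submit(self, task, earliest, due, exec_time, now):
        """Return ('scheduled', start, aborted_task_names) or ('refused', None, [])."""
        start = find_start(self.slots, earliest, due, exec_time, now)
        aborted = ()
        if start is None:  # conflict situation
            start, aborted = self._resolve(task, earliest, due, exec_time, now)
            if start is None:
                return ("refused", None, [])
            # Task atomicity: an aborted task loses all of its local slots.
            self.slots = [s for s in self.slots if s.task not in aborted]
            for name in aborted:
                del self.tasks[name]
        self.tasks[task.name] = task
        self.slots.append(Slot(task.name, start, start + exec_time))
        return ("scheduled", start, list(aborted))

    def _resolve(self, task, earliest, due, exec_time, now):
        """Smallest set of weaker, non-committing tasks whose abortion frees a gap."""
        lo, mine = max(earliest, now), rank(task, now)
        blockers = {s.task for s in self.slots
                    if s.end > lo and s.start < due and s.task != task.name}
        cands = sorted(
            (n for n in blockers
             if not self.tasks[n].committing and rank(self.tasks[n], now) > mine),
            key=lambda n: rank(self.tasks[n], now), reverse=True)  # weakest first
        for k in range(1, len(cands) + 1):      # fewest abortions first
            for group in combinations(cands, k):
                rest = [s for s in self.slots if s.task not in group]
                start = find_start(rest, earliest, due, exec_time, now)
                if start is not None:
                    return start, group
        return None, ()


def demo():
    """Constructed workload: Task(name, static priority, task due), times in ms."""
    sch, now = LocalScheduler(), 0
    return [
        sch.submit(Task("T1", 5, 100), earliest=0, due=40, exec_time=30, now=now),
        sch.submit(Task("T2", 5, 200), earliest=30, due=80, exec_time=40, now=now),
        sch.submit(Task("T3", 1, 60), earliest=10, due=60, exec_time=30, now=now),
        sch.submit(Task("T4", 9, 300), earliest=0, due=50, exec_time=20, now=now),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

In the constructed workload, T3 displaces the weaker task T2, while T4 is refused because every task blocking its window outranks it.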

Costa M.C. and others (1984). Real-time Local Area Networks : Source design and modeling issues. Rapport de recherche INRIA. To appear.
Goldberg J. and others (1980). Development and Evaluation of a Software Implemented Fault-tolerance (SIFT) computer : SIFT Operating System. SRI International. Menlo Park, Interim Technical Report 2. April 1980.
Hindin H.J. (1982). Dual-chip sets forge vital link for Ethernet local network scheme. Electronics, October 6, 1982, pp. 89-103.
ISO. (1981). Data Processing. Open Systems Interconnection. Basic Reference Model. ISO/DP/7498.
ISO. (1983, March). Data processing. Open Systems Interconnection. Transport Services Definition, ISO/DP/8072.
ISO. (1983, Oct). Information Processing Systems. Open Systems Interconnection. Connection Oriented Transport Protocol Specification ISO/DP/8073.
ISO. (1983, Nov). Information Processing Systems. Data Communication. Network Service Definition. ISO/DP/8348.
ISO. (1984, April 1). Addendum to the Network Service Definition covering Connectionless-mode Transmission ISO/TC97/SC6 N 3152.
ISO. (1984, April 2). Information Processing Systems. Data Communication. 6th draft data link service definition for open systems interconnection. Working draft, ISO/TC97/SC6 N 3123.
ISO. (1984, June 1). Revised DP 8509. OSI Service Conventions (2nd DP). ISO/TC97/SC16 N 1977.
ISO. (1984, June 2). Revised text for ISO 7498/DAD1. Addendum to 7498 covering connectionless mode transmission. ISO/TC97/SC16 N 1917.
ISO. (1984, August). Addendum to the Transport Service Definition Covering Connectionless Mode Transmission. ISO/TC/SC16N 2008.
Kiesel W.M. and Kuehn P.J. (1983). A new CSMA-CD protocol for local area network with dynamic priorities and low collision probability. IEEE journal on selected areas in communications, Vol. SAC-1, No. 5, 1983, pp. 869-876.
Kramer J. and others (1981). Intertask communication primitives for distributed computer control systems. 2nd International conference on distributed computing system. Paris, April 1981, IEEE editor, pp. 404-411.
Kummer P.S. (1984). The need for Connectionless Network Services in the Data Acquisition Environment. Science and Engineering Council. Daresbury Laboratory. 27 Sept. 1984.
Le Lann G. (1983). Trends in Industrial Local Area Networks. Advanced Course on Production Management, EIASM, Brussels, Jan. 1983.
Le Lann G. (1984). Deterministic Multiple Access Protocols for Real-Time Local Area Networks. Rapport de recherche INRIA No.246, Oct. 1984, 13 p.
Liskov B. (1981). Report on the workshop on fundamental issues in distributed computing. ACM Operating Systems Review. Vol. 15, No.3, July 1981, pp. 9-38.
Minet P. and Sedillot S. (1984). Integration of real-time and consistency constraints in distributed databases. INRIA-Score internal report BAS-I-004.
Nadkarni A.V. and others (1983). Performance on some local area network technologies. COMPCON 83 proceedings, San Francisco, March 1983, pp. 137-141.
Powell D.R. (1981). Performance evaluation and comparison of dependable channel access technique for locally distributed computing systems. 2nd International conference on distributed systems. Paris, April 1981. IEEE editor, pp. 256-270.
Reed D.P. (1979). Implementing Atomic actions on Decentralized Data. Proceedings of the 7th ACM Symposium on Operating System Principles, Dec. 1979.
Saltzer J.H. and others (1981). End-to-end Arguments in System Design. 2nd International conference on distributed systems. Paris, April 1981. IEEE editor, pp. 509-512.
Schwarz P.M. and Spector A.Z. (1984). Synchronizing shared Abstract Datatypes. ACM Transactions on Computer Systems, Vol. 2, No.3, August 1984, pp. 233-250.
Sedillot S. and Sergent G. (1980). A protocol for distributed execution and consistent resource allocation. Compcon Fall Washington, Sept. 1980, IEEE editor, pp. 535-542.
Stalling W. (1984). IEEE Project 802. Setting standards for local-area networks. Computer World, February 13, 1984, pp. ID27-ID.41.
Strole N.C. (1983). A local Communications Network Based on Interconnected Token-Access Rings : A tutorial. IBM Journal on research developments. Vol. 27, No.5, Sept. 1983, pp. 481-496.
Tobagi F.A. and others (1982(1)). On CSMA-CD Local Area Networks and Voice Communications. Infocom 82 Proceedings. Las Vegas, April 1982, IEEE Computer society editor, pp. 122-127.
Tobagi F.A. (1982(2)). Carrier Sense Multiple Access with Message Based Priority Functions. IEEE transactions on communications. Vol. COM-30, No.1, Jan. 1982, pp. 185-200.
Tobagi F.A. and others (1983). Expressnet : A High Performance Integrated Services Local Area Network. IEEE Journal on selected areas in communications, Vol. SAC-1, No.5, Nov. 1983, pp. 898-916.